Pierluigi Paganini March 16, 2019

Secur Solutions Group data leak – Another clamorous data leak made the headlines, personal information of 808,201 blood donors in Singapore was exposed online.

The news was first reported by The Straits Times, the huge trove of data was contained in a database operated by the Secur Solutions Group Pte Ltd (SSG).

People who registered to donate since 1986 in Singapore was exposed because the company left the database unprotected on an Internet for more than two months, since January 4, 2019

“The personal information of more than 800,000 people who have donated or registered to donate blood in Singapore since 1986 was improperly put online by a Health Sciences Authority (HSA) vendor for more than two months, but access to the database was cut off soon after the discovery.” states the article published by The Straits Times.

The Singapore Health Sciences Authority (HSA) was informed of the incident on March 13 by a security expert who discovered the unsecured database on a server exposed online.

The HSA notified the incident to the donors, according to the organizations the SSG was working on a database containing registration data of 808,201 blood donors. Exposed records include name, NRIC, gender, number of blood donations, dates of the last three blood donations, and in some cases, blood type, height, and weight.

The database did not contain other sensitive data or other medical info.

The analysis of the log confirmed that only the expert who discovered the archive accessed it in the time frame it remained exposed online, anyway, the investigation is still ongoing.

“Investigations are ongoing. Preliminary findings from HSA’s review of the database logs show that other than the cybersecurity expert who raised the alert, no other unauthorised person had accessed the database.” reads the data breach notification published by the HSA.

“SSG had placed the information we provided them on an unsecured database in an internet-facing server on 4 Jan 2019 and failed to put in place adequate safeguards to prevent unauthorised access. This was done without HSA’s knowledge and approval, and was contrary to its contractual obligations with HSA.”

Mimi Choong, HSA CEO, apologized for the incident.

“We sincerely apologise to our blood donors for this lapse by our vendor. HSA treats donor data confidentiality very seriously.” said Choong. “We would like to assure donors that HSA’s centralised blood bank system is not affected. HSA will also step up checks and monitoring of our vendors to ensure the safe and proper use of blood donor information.

The Secur Solutions Group confirmed in an official statement that the database was immediately secured and hired a consultant firm to assess its IT systems.

“We have engaged external cyber security professionals, KPMG in Singapore, and initiated a thorough review of our IT systems. We are working closely with HSA and other authorities in continuing investigations.” reads the statement.

Pierluigi Paganini

(SecurityAffairs – Secur Solutions Group, data breach)

[adrotate banner=”5″]

[adrotate banner=”13″]